Why governments don't need RIM to crack the BlackBerry

The United Arab Emirates' Telecommunications Regulation Authority (TRA) announced on Sunday that it would be suspending BlackBerry "messenger, e-mail and Web-browsing services" in the country from October 11, until these "applications were in full compliance with UAE regulations." Given the popularity of the BlackBerry platform in the country (an estimated 500,000 users from a population of 4.5 million) one can only assume that we are seeing a form of brinkmanship--with the privacy of e-mails, IMs, and website visits at stake.

But what is it, exactly, that the UAE wants from Research in
Motion (RIM), the maker of the BlackBerry? If it gets what it wants, how would
it affect journalists and readers who use RIM products? And what will it mean
for the UAE if RIM refuses to back down?

The UAE says that the problem lies in "legal accountability," and the
location of RIM's servers abroad, but it's not as though RIM is unique in this
matter. Both the Apple iPhone and Google's Android mobile phones offer
features that rely on servers located outside the UAE (the iPhone's
notification system is operated by Apple, and the Android offers Gmail and
GTalk, a US-based e-mail and IM system). And it's not just the UAE that has
pondered making RIM a smartphone non grata. India, China, and Bahrain have
all challenged RIM to make its networks accessible to the authorities. Why have
they all targeted RIM, while ignoring others?

RIM's vulnerability to government pressure is largely down to
an accident of its history--one that paradoxically makes RIM seem the
perfect potential spying partner for governments, while making it commercial
suicide for the company ever to adopt such a role.

The BlackBerry was first introduced in 1999, when the idea
of e-mail and browsing over mobile networks was relatively new, and building an
affordable mobile device that could provide those services was a novel
technical challenge. To keep the BlackBerry cheap, and work around deficiencies
in the existing mobile data networks, RIM did much of the heavy lifting itself.
It built its own network and servers to keep track of the location of
individual BlackBerrys. RIM's own network also took up the burden of
translating the complexities of the Internet into a form the relatively dumb
and slow BlackBerry units could understand, and compressing the data to be
faster and less burdensome on slow wireless networks.

Networks have grown better and smartphones smarter since
then, but RIM's original network design has remained largely unchanged. E-mail
and other data arriving from the Internet still comes to RIM's network first,
and then is repackaged and dispatched to the correct BlackBerry over the
wireless networks.

RIM's unusual position as the constant middleman in every
BlackBerry exchange has proved to be catnip to state security services. If RIM
is the go-between of every communication, surely it would also be the perfect
stop for tapping BlackBerry e-mail and communications? That seems to be the
opinion of India, Bahrain, and now the UAE, all of whom have been putting
pressure on the company to give them access to its servers. The UAE, in
particular, seems to think that this is already a given in other countries,
which may have prompted its particularly hard line.
According to the English-language Bahrain Tribune, the TRA noted that
"BlackBerry appears to be compliant in similar regulatory environments of other
countries, which makes non-compliance in the UAE both disappointing and of
great concern."

There's no direct evidence that RIM has provided such
access, but RIM's vulnerable role has also provoked suspicion from its own
corporate and government customers. When Obama fought
to keep his BlackBerry after becoming president, the opposition was fueled by
the government's security professionals' discomfort with the idea that all the
president's mail would pass through a third-party server (and a Canadian
third party at that). France's Nicolas Sarkozy went through a similar
battle.

But strong-arming RIM isn't the only way for the UAE to spy on
its domestic BlackBerry users, just the most blatant one. In the consumer
edition of the BlackBerry (as opposed to better protected corporate versions),
traffic to RIM's servers still passes largely unprotected over UAE's local
wireless networks, Etisalat and Du, both of which resell BlackBerry services
within the UAE. With the cooperation of these companies, the UAE's government
could build pervasive Internet surveillance of almost all BlackBerry (and
other) Internet traffic, though at far greater cost than just arm-bending RIM
to hand over the goods.

The traffic that it wouldn't be able to decode would be
end-to-end encrypted communications, as is most often enabled by corporate
BlackBerry users. But then, as RIM explained
to the Indian authorities, RIM itself could not decipher this traffic, even
if it did provide government access to its own network.

When asked for comment, RIM confirmed that the corporate
BlackBerry Enterprise Servers (their corporate email/Net system) traffic is
encrypted in a way that they or other third parties could not access, but would
not comment on the unencrypted nature of non-corporate traffic. The security
details of the BlackBerry Internet Service (their consumer/mobile company
service) are documented on their website, which states: "E-mail messages that
are sent between the BlackBerry Internet Service and your BlackBerry device
are not encrypted."

And that's the important lesson for BlackBerry users, both
among journalists and their audience. If you've got end-to-end encryption
activated, neither RIM nor state governments can read your traffic. Most
corporate BlackBerry Enterprise Servers have the option to turn on
encryption. Most non-corporate BlackBerry Internet Service systems do not.

The UAE battle with RIM is a distraction to both the UAE's
would-be spies, and those who might fear their power. With suitable technical
investment in domestic Internet monitoring, the UAE can decode a great deal of
BlackBerry traffic without RIM's help. When it comes to secure, encrypted
communications, neither RIM nor any other telecommunication provider will be
able to help them beat the encryption and spy on their own journalists or
readers. The power lies far less in the hands of RIM, and far more in the hands
of savvy Net users' choice of the right tools.

San Francisco-based CPJ Internet Advocacy Coordinator Danny O’Brien has worked globally as a journalist and activist covering technology and digital rights. Follow him on Twitter @danny_at_cpj.

I am a journalist in the UAE and have observed the gradual deterioration in the relationship between the government and media. I am speaking from personal experience when I say the regulatory aspect being enunciated is a distraction from the primary intent.

Even the Kenyan Intelligence services are getting their knickers in a twist claiming that the US donation of 21,000 Blackberries to the Interim Independent Electoral Commission (IIEC) meant the US (read NSA/CIA) were the first to know the results of Kenya's recently concluded referendum on a new constitution.
http://www.techmtaa.com/2010/08/09/kenyan-intelligence-not-happy-with-blackberry-donations/

Given that BlackBerry has been providing these services for a while, why is it only now that the likes of India, Saudi Arabia, UAE etc. are agitating for the right to sniff?